Webserver logs: "Morfeus F***ing Scanner"

security web-server lighttpd

I've just found these accesses in my web server log files:

::ffff:218.38.136.38 109.72.95.175 - [10/Jan/2011:02:54:12 +0100] "GET /user/soapCaller.bs HTTP/1.1" 404 345 "-" "Morfeus Fucking Scanner"
::ffff:218.38.136.38 109.72.95.174 - [10/Jan/2011:02:54:12 +0100] "GET /user/soapCaller.bs HTTP/1.1" 404 345 "-" "Morfeus Fucking Scanner"

Should I start to worry ? Or is it just a normal attempt to hack my server ? thanks


Solution 1:

It's a scanner looking for vulnerabilities in PHP based websites(reference). Script kiddies use these types of things to scan many many websites. You're not necessarily being singled out.

If you're not running PHP, you have nothing to worry about. If you are, I sure hope you're using secure code.

Solution 2:

It's looking for vulnerabilities, and you can deny it access this way in your config: 

$HTTP["useragent"] =~ "^Morfeus" { url.access-deny = ( "" ) }

Related

Embedded Windows XP
Mac/Linux for system administration tasks
What should I look for when monitoring an Amazon EC2 Micro Instance's CPU usage?
ssh without password does not work for some users
What is the best filesystem for backing up on external hard drive?
Munin - Load old/historic data from a database to prepopulate the graphs?
How to test disk latency on Linux?
Google Cloud SQL proxy randomly crashes
Install software on CentOS: binaries or rpm?
Does Varnish support unix domain socket files?
How to clear ZFS DEGRADED status in repaired pool
Debugging my NAT setup